
CLI: Example for Configuring RIP to Import External Routes

You can configure the device so that routes are exchanged between different RIP processes, and apply an ACL to filter the routes that are imported.

Networking Requirements

As shown in Figure 1, two RIP processes, RIP 100 and RIP 200, run on FW_B. FW_B exchanges routing information with FW_A through RIP 100. FW_B exchanges routing information with FW_C through RIP 200.

It is required that the two RIP processes on FW_B import each other's routes, and that the default cost of the routes imported from RIP 200 be 3.

It is required that a filtering policy be configured on FW_B to filter out the route 192.168.4.0/24 imported from RIP 200, so that it is not advertised to FW_A.

Figure 1 Networking diagram for configuring RIP to import external routes

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable RIP 100 and specify network segments on FW_A and FW_B; enable RIP 200 and specify network segments on FW_B and FW_C.
  2. Configure the two processes on FW_B to import the routes from each other and set the default cost of the imported RIP 200 routes to 3.
  3. Configure an ACL on FW_B to filter the routes imported from RIP 200.

Data Preparation

To complete the configuration, you need the following data:

  • RIP 100 on FW_A and the network segments 192.168.1.0 and 192.168.0.0
  • RIP 100 and RIP 200 on FW_B and the network segments 192.168.1.0 and 192.168.2.0
  • RIP 200 on FW_C and the network segments 192.168.2.0, 192.168.3.0, and 192.168.4.0

Procedure

  1. Set the IP addresses for the interfaces, add the interfaces to security zones, and configure the interzone security policy.

    # Configure FW_A.

    <FW> system-view
    [FW] sysname FW_A
    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ip address 192.168.1.1 24
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 192.168.0.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/1
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_A-zone-trust] quit
    [FW_A] security-policy
    [FW_A-policy-security] rule name policy_sec_1
    [FW_A-policy-security-rule-policy_sec_1] source-zone trust local
    [FW_A-policy-security-rule-policy_sec_1] destination-zone local trust
    [FW_A-policy-security-rule-policy_sec_1] action permit
    [FW_A-policy-security-rule-policy_sec_1] quit

    # Configure FW_B.

    <FW> system-view
    [FW] sysname FW_B
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] ip address 192.168.1.2 24
    [FW_B-GigabitEthernet0/0/1] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] ip address 192.168.2.1 24
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/1
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_B-zone-trust] quit
    [FW_B] security-policy
    [FW_B-policy-security] rule name policy_sec_1
    [FW_B-policy-security-rule-policy_sec_1] source-zone trust local
    [FW_B-policy-security-rule-policy_sec_1] destination-zone local trust
    [FW_B-policy-security-rule-policy_sec_1] action permit
    [FW_B-policy-security-rule-policy_sec_1] quit

    # Configure FW_C.

    <FW> system-view
    [FW] sysname FW_C
    [FW_C] interface GigabitEthernet 0/0/1
    [FW_C-GigabitEthernet0/0/1] ip address 192.168.2.2 24
    [FW_C-GigabitEthernet0/0/1] quit
    [FW_C] interface GigabitEthernet 0/0/2
    [FW_C-GigabitEthernet0/0/2] ip address 192.168.3.1 24
    [FW_C-GigabitEthernet0/0/2] quit
    [FW_C] interface GigabitEthernet 0/0/3
    [FW_C-GigabitEthernet0/0/3] ip address 192.168.4.1 24
    [FW_C-GigabitEthernet0/0/3] quit
    [FW_C] firewall zone trust
    [FW_C-zone-trust] add interface GigabitEthernet 0/0/1
    [FW_C-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_C-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_C-zone-trust] quit
    [FW_C] security-policy
    [FW_C-policy-security] rule name policy_sec_1
    [FW_C-policy-security-rule-policy_sec_1] source-zone trust local
    [FW_C-policy-security-rule-policy_sec_1] destination-zone local trust
    [FW_C-policy-security-rule-policy_sec_1] action permit
    [FW_C-policy-security-rule-policy_sec_1] quit

  2. Configure basic RIP functions.

    # Enable RIP process 100 on FW_A.

    [FW_A] rip 100
    [FW_A-rip-100] network 192.168.0.0
    [FW_A-rip-100] network 192.168.1.0
    [FW_A-rip-100] quit

    # Enable the two RIP processes, process 100 and process 200, on FW_B.

    [FW_B] rip 100
    [FW_B-rip-100] network 192.168.1.0
    [FW_B-rip-100] quit
    [FW_B] rip 200
    [FW_B-rip-200] network 192.168.2.0
    [FW_B-rip-200] quit

    # Enable RIP process 200 on FW_C.

    [FW_C] rip 200
    [FW_C-rip-200] network 192.168.2.0
    [FW_C-rip-200] network 192.168.3.0
    [FW_C-rip-200] network 192.168.4.0
    [FW_C-rip-200] quit

    # Check the routing table of FW_A.

    [FW_A] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 6       Routes : 6
    
    Destination/Mask    Proto  Pre  Cost   Flags       NextHop         Interface
    
        192.168.0.0/24  Direct 0    0       D          192.168.0.1     GigabitEthernet0/0/2
        192.168.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
        192.168.1.0/24  Direct 0    0       D          192.168.1.1     GigabitEthernet0/0/1
        192.168.1.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
          127.0.0.0/8   Direct 0    0       D          127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0

  3. Configure RIP to import external routes.

    # On FW_B, set the default cost of imported routes to 3 in RIP 100 and import the routes of each RIP process into the other.

    [FW_B] rip 100
    [FW_B-rip-100] default-cost 3
    [FW_B-rip-100] import-route rip 200
    [FW_B-rip-100] quit
    [FW_B] rip 200
    [FW_B-rip-200] import-route rip 100
    [FW_B-rip-200] quit

    # Check the routing table of FW_A after the routes are imported.

    [FW_A] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 9       Routes : 9
    
    Destination/Mask    Proto  Pre  Cost   Flags       NextHop         Interface
    
        192.168.0.0/24  Direct 0    0       D          192.168.0.1     GigabitEthernet0/0/2
        192.168.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
        192.168.1.0/24  Direct 0    0       D          192.168.1.1     GigabitEthernet0/0/1
        192.168.1.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
        192.168.2.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
        192.168.3.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
        192.168.4.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
          127.0.0.0/8   Direct 0    0       D          127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0

  4. Configure RIP to filter the imported routes.

    # Configure an ACL on FW_B with a rule that denies 192.168.4.0/24 (when the ACL is applied as a route filter, its source field is matched against the destination prefix of each route), followed by a rule that permits everything else.

    [FW_B] acl 2000
    [FW_B-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
    [FW_B-acl-basic-2000] rule permit
    [FW_B-acl-basic-2000] quit

    # Apply the ACL as an export filter on RIP 100 of FW_B, so that the route 192.168.4.0/24 imported from RIP 200 is not advertised to FW_A.

    [FW_B] rip 100
    [FW_B-rip-100] filter-policy 2000 export
    [FW_B-rip-100] quit

  5. Verify the configuration.

    # Check the routing table of FW_A after the filtering.

    [FW_A] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8
    
    Destination/Mask    Proto  Pre  Cost   Flags       NextHop         Interface
        192.168.0.0/24  Direct 0    0       D          192.168.0.1     GigabitEthernet0/0/2
        192.168.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
        192.168.1.0/24  Direct 0    0       D          192.168.1.1     GigabitEthernet0/0/1
        192.168.1.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
        192.168.2.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
        192.168.3.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
          127.0.0.0/8   Direct 0    0       D          127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct 0    0       D          127.0.0.1       InLoopBack0
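The following Python model is an added illustration, not Huawei code or output from the page: it reproduces the behaviour verified in steps 3 to 5 (imported routes take the default cost 3, FW_A adds one hop and installs them at cost 4, and the export filter removes 192.168.4.0/24) so that the ACL and the default cost can be sanity-checked before they are typed into the device. It also parses the `display ip routing-table` output from step 5 to confirm the filtered prefix is absent. Assumed (not stated on the page): a basic ACL used as a route filter matches its source field against the route's destination prefix, rules are evaluated in order, and a route matching no rule is denied; the route lists and the function names are constructed for this model.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of FW_B's import/export path; values are constructed
# from the example topology, not captured from a device.

@dataclass(frozen=True)
class Route:
    prefix: str  # destination/mask, e.g. "192.168.4.0/24"
    cost: int    # RIP metric (hop count)

@dataclass(frozen=True)
class AclRule:
    action: str                   # "permit" or "deny"
    source: Optional[str] = None  # None: the rule matches any address
    wildcard: str = "0.0.0.0"     # VRP wildcard: a 1 bit means "don't care"

def rule_matches(rule: AclRule, prefix: str) -> bool:
    """Compare the rule's source/wildcard with the route's network address
    (assumption: a basic ACL used as a route filter matches the destination prefix)."""
    if rule.source is None:
        return True
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    src = int(ipaddress.ip_address(rule.source))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(rule.wildcard))
    return (net & care) == (src & care)

def acl_permits(acl: List[AclRule], prefix: str) -> bool:
    """First matching rule decides; a route matching no rule is denied (assumed)."""
    for rule in acl:
        if rule_matches(rule, prefix):
            return rule.action == "permit"
    return False

def import_routes(routes: List[Route], default_cost: int) -> List[Route]:
    """'import-route rip 200' under 'default-cost 3': imported routes take the default cost."""
    return [Route(r.prefix, default_cost) for r in routes]

def export_routes(routes: List[Route], acl: List[AclRule]) -> List[Route]:
    """'filter-policy 2000 export': only routes the ACL permits are advertised."""
    return [r for r in routes if acl_permits(acl, r.prefix)]

def neighbor_view(advertised: List[Route]) -> Dict[str, int]:
    """What FW_A installs: RIP adds one hop to every route it receives."""
    return {r.prefix: r.cost + 1 for r in advertised}

# Constructed inputs matching the example.
ACL_2000 = [AclRule("deny", "192.168.4.0", "0.0.0.255"), AclRule("permit")]
RIP_200_ON_FW_B = [
    Route("192.168.2.0/24", 0),  # FW_B's own RIP 200 segment
    Route("192.168.3.0/24", 1),  # learned from FW_C, one hop away
    Route("192.168.4.0/24", 1),
]

# One route line of 'display ip routing-table': prefix, proto, pre, cost, flags, nexthop, interface
ROUTE_LINE = re.compile(r"^\s*(\S+/\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+\S+\s+(\S+)\s+(\S+)")

def parse_routing_table(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {prefix: (protocol, cost)} for each route line; headers are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2), int(m.group(4)))
    return table

def check_filter(display_output: str, blocked_prefix: str) -> bool:
    """Verification: the filtered prefix must not appear in the neighbour's table."""
    return blocked_prefix not in parse_routing_table(display_output)

# FW_A's table after filtering, abridged from the verification step of this example.
FW_A_AFTER_FILTER = """\
Destination/Mask    Proto  Pre  Cost   Flags       NextHop         Interface
    192.168.0.0/24  Direct 0    0       D          192.168.0.1     GigabitEthernet0/0/2
    192.168.1.0/24  Direct 0    0       D          192.168.1.1     GigabitEthernet0/0/1
    192.168.2.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
    192.168.3.0/24  RIP    100  4       D          192.168.1.2     GigabitEthernet0/0/1
      127.0.0.0/8   Direct 0    0       D          127.0.0.1       InLoopBack0
"""

if __name__ == "__main__":
    imported = import_routes(RIP_200_ON_FW_B, 3)
    print("FW_A without filter:", neighbor_view(imported))
    print("FW_A with filter:   ", neighbor_view(export_routes(imported, ACL_2000)))
    # A deny-only ACL (no trailing 'rule permit') would advertise nothing at all.
    print("deny-only ACL:      ", export_routes(imported, [ACL_2000[0]]))
    print("192.168.4.0/24 absent:", check_filter(FW_A_AFTER_FILTER, "192.168.4.0/24"))
```

The deny-only case is the check worth keeping: with the trailing `rule permit` removed, the model advertises no routes at all, which is why step 4 ends the ACL with `rule permit` rather than relying on the ACL's default behaviour.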

Configuration Scripts

Configuration script for FW_A:

#
 sysname FW_A
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
security-policy
  rule name policy_sec_1
    source-zone trust
    source-zone local
    destination-zone local
    destination-zone trust
    action permit
#
rip 100
 network 192.168.0.0
 network 192.168.1.0
#
return

Configuration script for FW_B:

#
 sysname FW_B
#
acl number 2000
 rule 5 deny source 192.168.4.0 0.0.0.255
 rule 10 permit
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 192.168.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
#
security-policy
  rule name policy_sec_1
    source-zone trust
    source-zone local
    destination-zone local
    destination-zone trust
    action permit
#
rip 100
 default-cost 3
 network 192.168.1.0
 filter-policy 2000 export
 import-route rip 200
#
rip 200
 network 192.168.2.0
 import-route rip 100
#
return

Configuration script for FW_C:

#
 sysname FW_C
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet0/0/2
 undo shutdown
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 192.168.4.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
 add interface GigabitEthernet0/0/2
 add interface GigabitEthernet0/0/3
#
security-policy
  rule name policy_sec_1
    source-zone trust
    source-zone local
    destination-zone local
    destination-zone trust
    action permit
#
rip 200
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
#
return
Copyright © Huawei Technologies Co., Ltd.